CVE-2026-22240

The vulnerability exists in BLUVOYIX due to an improper password storage implementation and subsequent exposure via unauthenticated APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable users API to retrieve the plaintext passwords of all user users. Successful exploitation of this vulnerability could allow the attacker to gain full access to customers' data and completely compromise the targeted platform by logging in using an exposed admin email address and password.

CVSS

No CVSS.

References

Link	Resource
https://blusparkglobal.com/bluvoyix/

Configurations

No configuration.

History

14 Jan 2026, 15:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-14 15:16

Updated : 2026-01-14 16:25

NVD link : CVE-2026-22240

Mitre link : CVE-2026-22240

CVE.ORG link : CVE-2026-22240

JSON object : View

Products Affected

No product.

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-312

Cleartext Storage of Sensitive Information

CWE-522

Insufficiently Protected Credentials

{"id": "CVE-2026-22240", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "56a186b1-7f5e-4314-ba38-38d5499fccfd", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 10.0, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:M/U:Red", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "RED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "MODERATE", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-01-14T15:16:05.413", "references": [{"url": "https://blusparkglobal.com/bluvoyix/", "source": "56a186b1-7f5e-4314-ba38-38d5499fccfd"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "56a186b1-7f5e-4314-ba38-38d5499fccfd", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-312"}, {"lang": "en", "value": "CWE-522"}]}], "descriptions": [{"lang": "en", "value": "The vulnerability exists in BLUVOYIX due to an improper password storage implementation and subsequent exposure via unauthenticated APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable users API to retrieve the plaintext passwords of all user users. Successful exploitation of this vulnerability could allow the attacker to gain full access to customers' data and completely compromise the targeted platform by logging in using an exposed admin email address and password."}], "lastModified": "2026-01-14T16:25:12.057", "sourceIdentifier": "56a186b1-7f5e-4314-ba38-38d5499fccfd"}